DFIR-02 : Journal Forensics

NTFS Journaling (Transaction Logging)

Windows NTFS uses a journaling technique that records a sequence of file changes in the $LogFile. Windows does a good job at maintaining data consistency after critical failures that cause the system to shut down unexpectedly. Specifically, NTFS logs file transactions when:

• Creating a file

• Deleting a file

• Extending a file

• Truncating a file

• Setting file information

• Renaming a file

• Change the security applied to a file

The previously analyzed $MFT file keeps a $LogFile Transaction entry at offset 08 to 15 and this is how MFT correlates with other metadata attributes in the NTFS file system.

From a forensics' perspective these records are valuable when it comes to creating a timeline of transactions.

NTFS change tracking journals :

$UsnJrnl:

• Tracks file and directories changed on the system via the USN (Update Sequence Number) journal.

• Available in the root directory under $Extend folder.

• Contains two ADS (alternate data stream) :

  • $Max : Where the meta data of change log is stored

  • $J : Where the actual change log records are stored.

$LogFile:

• Track changes to MFT metadata.

• Available at the root directory.

Tools

In order to parse these journals here are some great free tools :

• UsnJrnl2Csv

• Triforce ANJP

• KAPE

Tutorial

Here is a great video by @13cubed on how to parse and use these journals :